The Three Factors of Authentication (Passwords Part 2)

So far we have talked about the indispensable role that the password plays in our lives on the web. But a password is only one piece of a larger mechanism that we refer to as authentication: the process by which we prove that we are who we say we are. Passwords are the most common method of authentication and they are prolific on the internet.

The First Factor: Something That You Know

A password is something that you know, so it satisfies the first factor of authentication. This is why it has become so prolific on the web: it is comparatively easy for a website owner to implement password-based authentication.

There is a problem with passwords however: You might not be the only person that knows this piece of information. And even worse, you might not be the only person that can guess this piece of information.

The Second Factor: Something That You Have

Another way to authenticate a user is to check for the presence of something that the person possesses. This could be a cell phone, a smart watch, a personal security key (such as a YubiKey) or any number of other devices that can provide a unique identification.

There are many ways that the second factor of authentication can be validated. You may already use some of them:

  • SMS or Emailed One Time Password
  • Authenticator Application (Time or HMAC-based One Time Password)
  • Hardware Token (Yubikey, RSA SecurID)

One Time Passwords

A One Time Password (OTP) is a short password that, as the name implies, is only good for a single session or login. The concept is pretty simple: you have requested access to some secured system, and the entity validating your authentication generates a single-use passcode and sends it to your device.

The one time password is generally sent to a phone number via SMS or to an email address. The assumption is that your phone or email is secure and that only you have access to it. However, one small hiccup in this authentication method is that neither SMS nor email is a secure system by default. It can be possible for a nefarious actor to intercept the passcode before it reaches you, causing a bit of an issue.

Authenticator Applications

An Authenticator Application solves this problem of transmitting the one time password via SMS or email. An authenticator application uses a shared key or “secret” that is set up before any authentication is attempted. Using this secret key, the authenticator app can generate one time passwords that are only valid for about 60 seconds. The other advantage is that the code is never transmitted, so no one can observe the generated passcode in transit. This provides a higher level of security than the previous example.

Hardware Tokens

In contrast to an application that you may have on your cellphone, a Hardware Token comes with a built-in shared key. These provide the same functionality as an Authenticator Application, but in a completely separate, isolated environment. The devices usually look like USB flash drives, and there are a few different iterations of them.

The RSA SecurID system provides a small device with a display that generates a new one time password every 60 seconds. It’s powered by a small watch battery and lasts for many years. These are generally produced by companies and sent to users upon request. For example, your bank may allow you to request one of these hardware keys to secure your online accounts.

Another type of hardware token, the YubiKey, is designed to be inserted into your computer via a USB port, or to connect to a cellphone with near field communication (NFC). This device generates the keys and passes them along to the computer or phone that is performing the authentication. Check them out at www.yubico.com.

Two Factor Authentication (2FA)

The most common way that you experience this second factor of authentication is through Two-Factor Authentication (2FA). Strictly speaking, 2FA is usually presented as a combination of the first and second factors of authentication; in other words, you have to provide two of the three items in this list to pass authentication. Most of the time that means that you need to provide some type of one time password when trying to authenticate.

The Third Factor: Something That You Are

A more commonly known name for the third factor of authentication is biometrics. Anyone who has ever seen a spy movie knows what biometrics are. The hero (or potentially the villain) is trying to break into some “secure” facility and has to get past a fingerprint reader or a retinal scan, etc. This is the concept behind biometrics: authentication is based on something physical about you.

In fact, if you have bought a cell phone in the past few years, you might have a biometric system hanging out in your pocket! Fingerprint readers are becoming ubiquitous on new cellphones because they provide quicker access than trying to type out a complex password or even a short PIN on your phone’s tiny touch keyboard. And if used properly these systems can provide added security to your device.

Touch ID and Face ID

Apple’s Touch ID and Face ID phone unlock methods are based on biometrics. Of course Touch ID is for fingers and Face ID applies biometrics to the composition of your face. But if the movies have taught us anything, neither of these authentication methods is perfect.

According to Apple’s Face ID Security Guide, the chance of a random person being able to open your Face ID-protected phone is about 1 in 1 million. In contrast, the equivalent figure for Touch ID is claimed to be about 1 in 50,000. The camera that provides Face ID authentication is a 3D infrared camera. This means that it works in the dark and can even verify your identity if you are wearing sunglasses (except for one of my pairs of cheap sunglasses for some reason).

Granted, there is a small chance that a random person could pick up your phone and unlock it with their finger or with their face. But unless you’re in the habit of passing your phone full of sensitive information around a stadium just to see what happens, or you have an identical twin that you don’t trust (if you didn’t know, identical twins have different fingerprints), you’re most likely going to be very happy with the convenience and security of these systems.